Cyber Security in Business Organizations - Case Study Example

Cyber Security in Business Organizations Cyber Security in Business Organizations Information security is a growing challenge among organizations that have implemented information systems. With the incorporation of information technology into organizational operations, corporations have become vulnerable to a plethora of information security risks. Failure of information systems can cost organizations heavily in the form of declining consumer trust, monetary losses, and deteriorating shareholder confidence. Johnson and Goetz (2007) describe security risk management as a balance between “maintaining security” and keeping the business going. Information security failures tip the balance and expose organizations to the aforementioned threats. Organizations are challenged by the trend to ‘go global’ which implies that security programs should encompass the entire global market of a firm. In effect, this means that each individual unit of the firm dispersed globally should take responsibility for the security risks that are encountered. Despite having a strong central security infrastructure in place, ownership is an important issue that drives information security forward, especially in situations where the business critical applications lie outside the infrastructure (Johnson and Goetz, 2007). Internal organizational factors are also critical to the information security challenge. Education and consultancy within the organization has become important to ensure that employees understand what they are asking for so that security professionals can better respond to the need of the situation. However, spreading awareness through consultancy is not an absolute solution. Many organizational members are resistant to change and change management is a subject executives are often concerned about. Facilitating a proactive work culture and involving line managers to take responsibility and auditors to enforce security can be pivotal. This can ensure compliance and help deal with information security issues by making internal employees accountable (Johnson and Goetz, 2007). Protecting data and information in the midst of mobile technology has become an even greater challenge. The new age of smart phones has built a collaborative environment where protecting information security and intellectual property has become a great concern. Permissions are granted through a strong identity management system to access the information. However, a lot of it has to do with policy making and the enforceability of such policies. Compliance with information security standards is another challenge for many organizations as they are dictated by strict laws and regulations. Many organizations do not possess the funds necessary to implement security programs or allocate budgets to improve the existing system (Johnson and Goetz, 2007). Target received many red flags as the hackers attempted to get into the system. Only six months before the attack, Target had installed malware detection software created by FireEye. In addition to this, Target had a team of cyber security personnel in Bangalore, India to monitor their system. After the hackers attacked Target’s systems, FireEye – the security software – detected the malicious malware (Riley, Elgin, Lawrence, and Matlack, 2014). Even Target’s outsourced security professionals in Bangalore spotted the malware and alerted Target’s security team headquartered in Minneapolis. As the hackers continued installing 5 malwares, the system kept sending out alerts. Despite the red flags, Target did not respond to the security threats. Not only did it ignore the security breach, its security team chose to switch off the option where the malware could have been automatically deleted by FireEye (Riley, Elgin, Lawrence, and Matlack, 2014). Possible reasons for ignoring the alerts include skepticism regarding the efficacy of the FireEye software as well as other organizational factors. For one, turning off automatic malware deletion on FireEye could have been done to allow Tagret’s security professionals with a chance to review the situation in case the malware was not serious. Because the hackers used a very unsophisticated method to attack Target’s system, the threat could have been low on its priority list. Whitman (2003) points out that many a times, IT executives do not take security risk seriously because they think they have either addressed it effectively or because they consider it unimportant. Skepticism about the newly installed security software by FireEye could also be the reason why the risk was not assessed effectively and the alert was ignored. The fact that the hackers gained access through a vendor’s credentials added to the skepticism leading to poor assessment of the severity of the security risk. Having a vendor’s credentials could have seemed fairly credible which is why the security team did not quickly respond to the threat. Target’s security took a long time to respond to the security breach. Credit card information began leaking out on December 2nd however it was not until December 15th that the malware was finally removed (Riley, Elgin, Lawrence, and Matlack, 2014). It was not until federal investigators from the Department of Justice notified Target on December 12th that the company began following up on the matter. Between a time lag of 13 days, millions of credit card numbers, addresses, and phone numbers were stolen. Target did not notify its customers until December 19th – after it had resolved the issue – but their credit cards were already being charged for items ordered from Russia. In response to the damages made to the customers, Target CEO announced that the consumers will not have to pay for the charges. Target also carried out a thorough review of its information security system to analyze the case. This was followed by a formal investigation into the matter including a complete restructuring of its IT security infrastructure to prevent future attacks. This included efforts to speed up the transition into chip-enabled cards that are more secure than magnetic cards (Riley, Elgin, Lawrence, and Matlack, 2014). The thirteen-day delay involved in responding to the security risk reflects an inefficient response to the threat. However, it was a positive step by Target’s CEO to pay for the fraudulent charges made on customers’ credit cards. This demonstrated an effort to cover the damages made to the consumers. Further, the introduction of chip-enabled cards was a good decision as they are generally more secure than the magnetic strip cards that are common in the USA. Although restructuring of the information security system is not a permanent solution without enforcing strict policies within the company regarding compliance and immediate response to security vulnerabilities. Ideally, the red flag given by FireEye should have been taken seriously by Target’s security team. Delays in responding to the situation in a timely manner led to millions of credit card information being lost to hackers. In conclusion, the attack is an example of poor information security management despite having one of the most powerful cyber security softwares. Target’s investment into the malware detection software by FireEye was legitimate. The software proved its ability to detect malicious codes by sending out many alerts on the various occasions hackers tried to insert the malware. This shows that its current IT security infrastructure was strong enough to recognize vulnerabilities and even delete the malwares trying to steal information. Added to this is the fact that the hackers used an unsophisticated technique to gain access which could have easily been addressed. However, Target’s security team based in Minneapolis ignored the alerts showing poor decision making and response skills to counter the attack. Further, Target’s management did not have any check in place to ensure that someone was responsible. Since, no one took ownership of the issue, the unfortunate incident resulted in the loss of millions of sensitive data. Ultimately it all boils down to the fact the management showed poor response to the security threat, failing to follow up on the matter until it was notified by the Department of Justice. References Johnson, M., & Goetz, E. (2007). Embedding Information Security into the Organization. In 2007 IEEE Symposium on Security and Privacy (pp. 17-24). Oakland, California, USA: IEEE. Retrieved from http://digitalstrategies.tuck.dartmouth.edu/cds-uploads/publications/pdf/SecurityOrg.pdf Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014). Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It. Businessweek. Retrieved 10 May 2015, from http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data Whitman, M. (2003). Enemy at the gate. Commun. ACM, 46(8), 91-95. doi:10.1145/859670.859675 Read More